Darryl Ackernecht wrote:&gt &gt I don't really understand why this would make a difference? Also, I'm not&gt sure if it is that big of problem using PAP - doesn't radius perform&gt encryption between the client and server?

In order to authenticate against the NT SAM, RadiusNT has to have the
clear-text password to pass to the NT API. With CHAP, we don't have that
and therefore can not authenticate against the NT SAM. This same issue
is common on UNIX machines when you try to CHAP auth against a passwd
file: it simply can't be done.